Abstract: Users no longer trust traditional password-based authentication methods since so many online
services now interact with one another. Credentials obtained online are often used to reclaim additional
credentials, and sophisticated assaults often target the weakest of a large number of available credentials.
One-time passwords and a two-factor authentication mechanism appear to be a natural improvement over traditional
username/password schemes, thus researchers are looking into them. The OTP verifier is deployed to the cloud in 
this manuscript to facilitate its use by cloud service providers. OTP providers can outsource their OTP 
deployments to the cloud and cloud customers can activate their accounts on the OTP provider across many cloud 
services when the OTP verifier is hosted in the cloud as a service. This lets them take advantage of multiple cloud 
services without having to juggle multiple OTP accounts. Alternatively, OTP service provision prevents novice 
SMEs from overspending on OTP provisioning hardware, software, and staff. This paper presents the architecture 
necessary to create a trustworthy OTP provider in the cloud, one that respects users' right to privacy. The OTP 
provider registration, activation, and authentication processes for cloud users are examined. We define and 
evaluate the privacy and security implications of the suggested architecture. With these assumptions in place, 
attacks from unknown sources, user profiles with unlinkable features, inquisitive service providers, and OTP 
verifiers are all thwarted. The analysis ensures the reliability and validity of the proposed solution, which places 
the OTP supplier in the cloud. 


Keywords: OTP, Cloud, Authentication, Multiple Services, Hardware, Software, Modern Security Measures. 


Introduction 


The primary objective of this work is to provide a trustworthy OTP provider in the cloud that can be used to 
delegate the use of the second authentication factor [1]. A common type of multi-factor authentication is
two-factor authentication [2-4]. The goal of this proposed architecture is to make it easier for smaller and
medium-sized organisations to implement an OTP solution for their own authentication needs [5-12]. Many social, tailored,
or opportunistic assaults can compromise current authentication techniques such as the traditional knowledge 
factor [13]. It's also quite pricey to make the switch from antiquated infrastructure to modern security measures 
[14-17].


Knowledge, possession, and inherence are three factors that can be used for user authentication [18]. As its name
implies, the knowledge factor for identity verification demands some sort of information that a user
should be familiar with [19-21]. Common activities like entering login information fall within this category. This
approach assumes the username is known to the public and the password is known only to the user. Provided that
only they have the password for the relevant software, authentication is foolproof. However, as our experiences in the
real world have taught us, passwords aren't always easy to keep safe, and the human mind isn't great at juggling a
lot of different passwords for different services [22-27]. In 2-factor authentication, one of the most popular
possession components is the use of one-time passwords (OTPs), which can authenticate owners by having them
verify their possession of a pre-shared advantage. Two-factor authentication (TFA) is a common type of
multi-factor authentication (MFA) [28]. Training data will consist of the well-known username and password
combination [29-31]. Since this is the most widely used method of authentication, it is included in and made 
available by nearly every TFA implementation. Multi-factor authentication for end-users and the cloud has been 
implemented using this proposed approach [32-35]. 


The suggested approach allows businesses to save money on the OTP-based TFA transition from the employee 
training, hardware, and software points of view [36-39]. Users may also easily manage many accounts in one spot, 
albeit with profiles that aren't particularly appealing. Many cloud service providers may find it easier to use OTP 
in large quantities if they are able to outsource the service to the cloud, where they can avoid making costly 
upfront investments [40]. The proposed method works well as a two-factor authentication security mechanism and 
comes with a wide variety of settings to tweak [41-47]. Regular password management, credential management, 
and other similar features are just the beginning of what user profiles on user devices can be used for [48]. 


Literature Survey 


In this research, we offer a unique challenge/response-based OTP mutual authentication technique. Users and 
servers exchange hashes of random sub-passwords generated by the technique. The approach generates generally 
independent OTPs by executing modular algebraic operations on two or more randomly generated sub-passwords 
[49-53]. Used sub-passwords are rotated out and replaced with fresh ones using a random permutation mechanism. 
Numerous one-time passwords (OTPs) can be generated from tens of randomly generated sub-passwords. A 
microprocessor installed at the client terminal can handle all the data storage and processing. Simultaneously, the 
scheme can offer adequate protection for common uses [60-65]. 


Twenty years of study haven't solved the problem of creating a reliable anonymous two-factor authentication 
solution. The designers must contend with a lengthy wish list of features and strict security requirements [66-71]. 
While several solutions have been presented, most fall short in either meeting all necessary security standards or 
providing all necessary functionality. Without addressing the underlying question of whether or not we are limited 
in our ability to develop a "ideal" scheme that achieves all the required aims, scholars typically work around this 
unsatisfactory scenario in the hopes of a fresh suggestion [72-75]. According to our findings, it is impossible to 
achieve some objectives using the standard adversarial paradigm. To the best of our knowledge, this research is 
the first step toward elucidating the underlying evaluation metric for anonymous two-factor authentication, which 
we expect will lead to the improved design of anonymous two-factor protocols that provide suitable trade-offs 
among usability, security, and privacy [76-81]. 


Compared to other forms of authentication, such as those based on goods or knowledge, biometrics authentication 
has various advantages [82-87]. Employee ID cards are commonly accepted as proof of identity in the traditional 
sense. The same password may be used for years by a big group of coworkers without needing to be changed. One 
of biometrics authentication's main benefits is that it is both reliable and easy to use. However, there are specific
security risks unique to biometrics that must be taken into account while using such systems. Brute-force assaults 
against biometrics systems are discussed, however the majority of these dangers arise from the system's reliance
on digital signals and the necessity of extra input devices. All pattern recognition systems have their share of
problems. We now add "chameleons" to the list, which also includes "wolves" and "lambs." When enrolling with 
biometrics, users must submit an image of a private body portion, which raises privacy concerns [88-95]. 


We take a look at the issue of acoustic reverberations from keyboards. We introduce a unique technique that can 
recover up to 96% of typed characters from a 10-minute audio recording of a user typing English text on a 
keyboard. A labelled training recording is unnecessary [96-99]. The recognizer bootstrapped in this manner is so 
advanced that it can decipher passwords and other forms of random text. In our experiments, 90 percent of
5-character random passwords using only letters can be generated in fewer than 20 attempts by an adversary; 80
percent of 10-character passwords can be formed in fewer than 75 attempts. To rebuild text from sound recordings
without labelled training data, our attack leverages the statistical restrictions of the underlying content, the English
language [100]. Cepstrum features, Hidden Markov Models, linear classification, and feedback-based incremental
learning are only some of the typical machine learning and speech recognition approaches that are employed in 
this attack [101-105]. 


Cryptographic methods of authentication have many potential applications. This paper presents authentication 
protocols that rely on one-time passwords, which are more secure than the more usual fixed passwords. Leslie
Lamport suggested utilising one-way functions to obtain one-time passwords in his paper Password
Authentication using Insecure Communication [106-111]. These tasks frequently employ cryptographic hash
functions due to their ease of use. After discussing the drawbacks of using hash functions, a more versatile
one-time password system will be obtained by employing functions on groups of composite numbers [112-119].
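
The one-way-function scheme attributed to Lamport above, written out as an added example (not code from the surveyed paper): the verifier stores only the last accepted value and accepts a candidate when hashing it once gives that stored value. SHA-256, the class names and the seed are assumptions of this example; it also shows the chain running out, one drawback of the plain hash construction.

```python
import hashlib
import hmac


def H(x: bytes) -> bytes:
    """The public one-way function (SHA-256 is this example's choice)."""
    return hashlib.sha256(x).digest()


def chain(seed: bytes, n: int) -> bytes:
    """Return H applied n times to seed."""
    for _ in range(n):
        seed = H(seed)
    return seed


class ChainClient:
    """Hypothetical client: holds the secret seed, releases H^(n-1), H^(n-2), ..."""

    def __init__(self, seed: bytes, n: int):
        self.seed, self.remaining = seed, n

    def next_otp(self) -> bytes:
        if self.remaining == 0:
            # Drawback of the plain hash chain: the supply of passwords is finite.
            raise RuntimeError("chain exhausted; enrol a new seed")
        self.remaining -= 1
        return chain(self.seed, self.remaining)


class ChainVerifier:
    """Hypothetical verifier: stores only the last accepted value."""

    def __init__(self, anchor: bytes):
        self.last = anchor  # H^n(seed), handed over at enrolment

    def verify(self, otp: bytes) -> bool:
        if not hmac.compare_digest(H(otp), self.last):
            return False
        self.last = otp  # move one link down; the old value can never pass again
        return True


def demo() -> dict:
    seed, n = b"constructed-demo-seed", 3  # constructed sample values
    client, verifier = ChainClient(seed, n), ChainVerifier(chain(seed, n))
    out = {
        # A copy of the verifier's stored value is not itself a valid password.
        "stolen_anchor_accepted": verifier.verify(verifier.last),
    }
    first = client.next_otp()
    out["first_accepted"] = verifier.verify(first)
    out["replay_accepted"] = verifier.verify(first)
    out["remaining_accepted"] = [verifier.verify(client.next_otp()) for _ in range(n - 1)]
    try:
        client.next_otp()
        out["exhausted"] = False
    except RuntimeError:
        out["exhausted"] = True
    return out
```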


Proposed Model 


The suggested approach allows businesses to save money on the OTP-based TFA transition from the employee 
training, hardware, and software points of view. Users may also easily manage many accounts in one spot, albeit 
with profiles that aren't particularly appealing [120-123]. Many cloud service providers may find it easier to use 
OTP in large quantities if they are able to outsource the service to the cloud, where they can avoid making costly 
upfront investments. The proposed method works well as a two-factor authentication security mechanism and 
comes with a wide variety of settings to tweak [124-129]. Regular password management, credential management, 
and other similar features are just the beginning of what user profiles on user devices can be used for [130]. 


Credentials obtained online are often used to reclaim additional credentials, and sophisticated assaults often target 
the weakest of a large number of available credentials. The ability to withstand DoS assaults, corrupt insiders, 
third-party access, and OTP replay/liven attacks, among other threats, is essential. The old method of logging in 
using a username and password is now obsolete [131-135]. 


In this section, requests from owners with varying levels of security will be owned by cloud proprietors. Owners 
of cloud storage services will check user credentials and validate the scanned documents phase. They will abandon 
computer user requests if they cannot find relevant paperwork and accurate information [136-141]. If the user's 
request is approved by the cloud, a unique user ID will be generated and sent to them through email. Consumption 
may be eligible to make use of lengthy special criteria based on consumer protection choice. If his security is high, 
he is free to use any of the basic protections available to him. Both software and hardware components of this 
system are required for development [142]. 


The software products' needs are laid out in technical detail in the requirements specification. In the first phase of 
requirements analysis, you document the features, capabilities, and constraints that your software system must 
meet [143-151]. User, operational, and administrative use cases are also provided in the requirements. The 
software requirements specification describes the software project in great detail, including its scope, 
characteristics, and objectives. This document details the project's intended users, interface, and necessary gear
and software. It describes the project from the perspective of the client, the team, and the target audience [152-159].


Tomcat provides an environment for Java code to execute in tandem with a web server by implementing the Sun
Microsystems servlet and JavaServer Pages specifications [160]. Its settings can be altered by modifying its
configuration files, which are typically written in XML format. Tomcat can also run as a standalone web server
because it has its own built-in HTTP server.


Design is the process of specifying a system's structure, parts, modules, interfaces, and data in order to meet those 
needs. The design documents the system's architecture, its functions, and the modules that make it up. In what 
follows, you'll find specifics on how each of the four models is constructed [161-166]. 


In-depth process definition and a bird's-eye view of the model's operations are provided by the system architecture 
[167]. 


Refining the designs, specs, and estimations are all part of the detailed design process. For easier comprehension 
of the modules' features, they are diagrammatically described [168]. 


The use case diagram is a graphical representation of the actors, their goals, and the dependencies
between use cases that make up a system.


There are two sections to a use case diagram: 


Use case: Use cases, typically represented by a horizontal ellipse, outline a set of steps that benefit a user in
some measurable way.


An actor is any entity outside of the system that participates in or influences any aspect of the system's behaviour 
(Fig. 1).


Fig. 1: Use Case Diagram


An example of an interaction diagram, a Sequence diagram illustrates the sequential execution of many 
operations. Message Sequence diagrams, also known as event diagrams, event scene diagrams, and timing 
diagrams, are where this concept first appeared [169-171]. 


Class diagrams in the Unified Modelling Language are a sort of static structural diagram that show the classes, 
attributes, operations (or methods), and interactions between objects that make up a system's structure [172-175]. 


Workflows can be represented graphically using activity diagrams, which allow for branching, iteration, and 
concurrent processing of a series of activities and actions. A control flow is depicted in an activity diagram [176]. 


The connection and cooperation between software components are depicted in UML Collaboration Diagrams. In 
order for them to work, there must first be established use cases, system operation contracts, and domain models.
The collaboration diagram shows how classes and objects communicate with one another through the exchange of
messages [177-181]. 


Result and Discussion 


Credentials obtained online are often used to reclaim additional credentials, and sophisticated assaults often target 
the weakest of a large number of available credentials [182-184]. The ability to withstand DoS assaults, corrupt 
insiders, third-party access, and OTP replay/liven attacks, among other threats, is essential [185-189]. The 
suggested approach allows businesses to save money on the OTP-based TFA transition from the employee 
training, hardware, and software points of view. Users may also easily manage many accounts in one spot, albeit 
with profiles that aren't particularly appealing. Many cloud service providers may find it easier to use OTP in large 
quantities if they are able to outsource the service to the cloud, where they can avoid making costly upfront 
investments [190]. The proposed method works well as a two-factor authentication security mechanism and comes 
with a wide variety of settings to tweak. Regular password management, credential management, and other similar 
features are just the beginning of what user profiles on user devices can be used for [191-194]. 


In this section, the user must sign up for a cloud account by entering certain personal information. After a user 
registers, the cloud creates a unique token based on the user's information and gives it to the user via email. After
receiving the token via email, the user will wish to enter it to verify his identity [195]. If he enters an invalid
token, his information will not be saved to the cloud. If a valid token is entered, the user is presented with a menu
from which to select various securities. The next step in the security process is for the user to verify their identity 
using a captcha and a cloud OTP. 


In this section, cloud operators will field requests from customers using a wide range of security settings. The 
cloud service providers will check the user information and the documents one by one. If they cannot locate the 
necessary paperwork and information, they will reject the user's request. In the event that the cloud service 
provider grants the request, the user will be issued a unique UID. Depending on the user's chosen level of security, 
they may be able to make use of the system for the designated applications. 


In this section, the user will open a bank account and deposit the funds into the account. The user's mobile phone 
number will only be used once during the registration process of a chat app with traditional security, and the cloud 
will only verify the user once using the classic cloud OTP service. When using a chat app, we can open individual 
messages and read them by touching on them. In addition, we can send a voice message by transcribing audio into 
text. 


The virtual supermarket is a safe OTP service for online food shopping. Users can browse available products, add 
selected items to their shopping carts, and discard unwanted items. Users also have the option to modify the 
quantity of items in their shopping basket. Both modern and time-tested commerce standards are supported by this 
e-commerce platform. All purchases will require your approval. NEFT Transaction is a secure OTP service 
software that can instantaneously transfer funds to a recipient's bank account. The current account balance can also 
be viewed. This stringent safety provides access to all the benefits of a reliable, standard OTP service. Every time 
a user logs in, he will be prompted to give his consent or not. The Bank app includes a feature dubbed "online bank
account creation," which allows the user to provide KYC information without physically visiting a branch. If he
already has a highly secure cloud account, he can simply submit his cloud service and user UID to the bank and 
import all of his data. OTP can be obtained by the user if he provides specifics. All of your KYC information will 
be transferred into the banking app once you've completed the OTP process. 


HMAC stands for Hashed or Hash-based Message Authentication Code. It is the product of
research into cryptographic hash functions, which led to the development of a MAC. Since HMAC applies the
hash function twice, it is extremely resistant to cryptanalysis attempts. HMAC is more secure than any other
authentication code since it combines the advantages of hashing and MAC. HMAC is required to be used for IP
security as of the publication of RFC 2104.
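
An added example, not the system's own code: the two hash passes of HMAC written out, then used to derive counter-based one-time passwords and to reject a replayed code. The page does not say which OTP construction its verifier uses, so HOTP (RFC 4226) with HMAC-SHA-1 is an assumption here, as are the `OtpVerifier` class and its look-ahead window; the key is the RFC 4226 test secret.

```python
import hashlib
import hmac
import struct

BLOCK = 64  # SHA-1 block size in bytes


def hmac_sha1_two_pass(key: bytes, msg: bytes) -> bytes:
    """HMAC (RFC 2104) written out as its two nested hash passes."""
    if len(key) > BLOCK:
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()   # first pass over key and message
    return hashlib.sha1(opad + inner).digest()  # second pass over key and inner digest


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte counter, then dynamic truncation."""
    mac = hmac_sha1_two_pass(key, struct.pack(">Q", counter))
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Hypothetical verifier-side state for one account (assumed design)."""

    def __init__(self, key: bytes, window: int = 3):
        self.key = key
        self.counter = 0      # lowest counter value still acceptable
        self.window = window  # look-ahead for codes generated but never submitted

    def verify(self, candidate: str) -> bool:
        matched = None
        for c in range(self.counter, self.counter + self.window + 1):
            expected = hotp(self.key, c).encode()
            # Constant-time comparison; the whole window is always scanned.
            if hmac.compare_digest(expected, candidate.encode()):
                matched = c
        if matched is None:
            return False
        # Burn the matched counter and every earlier one, so a replay fails.
        self.counter = matched + 1
        return True


def demo() -> list:
    key = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    v = OtpVerifier(key)
    return [
        v.verify("755224"),  # counter 0: accepted
        v.verify("755224"),  # same code again: replay, rejected
        v.verify("969429"),  # counter 3: inside the look-ahead window
        v.verify("287082"),  # counter 1: already burned, rejected
    ]
```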


Tomcat 7.0 and MySQL 5.0 are used in the studies. Toolbox, which is included in Tomcat, is used to carry
out the computations. User credentials for accessing an environment built using the proposed system, as well as a 
sample one-time password built to test the computation response, can be entered in the login screenshot. When the 
OTP was used with the Cloud Application, access was preplanned along with security terms and the output image. 
The data is then trained using a common strategy across all methods. Some data is saved for use in training, while 
the rest is used to put theories to the test. Therefore, the outcome agrees with the predicted one, and the desired 
level of security is attained in comparison to the baseline model. 


Conclusion 


Small and medium-sized enterprises, as well as individual users, can benefit from cloud-based OTP services by 
making the switch from a username/password authentication strategy to an OTP-based two-factor authentication 
plan. The security and privacy concerns associated with moving the OTP application to the cloud have been taken 
under serious consideration. Imperfections that can be achieved are discussed, as are the consequences of doing 
so. There has been talk about preventative measures and reasonable solutions. Note that the proposed architecture 
doesn't address the issues with learning vulnerability or wondering strikes that plague conventional 
username/password combinations. On the other hand, these problems will emerge if another component of 
standard authentication is implemented. This is standard practise because conflicts stemming from human 
dynamics are notoriously tricky to prevent. The attack model and a realistic scenario for its application are 
established. The necessary safeguards for a standard OTP provision in the cloud are specified.